I don't understand why this post has to put "Chinese" in the title?! If the dev was United States citizen, would you rename the title to American dev jailed? Absurdity!
> If the dev was United States citizen, would you rename the title to American dev jailed
The only reason I can think of to not mention the nation that jailed someone for accidentally leaking their employers keys would be because the default assumption would be they are an American.
This wasn't a hack, there was no criminal intent. I think most people assume that the worst consequence for an accident like this is losing your job. The absurdity here is being fined, jailed, and receiving a criminal record.
The fact that the developer was prosecuted under Chinese law is important to an audience of developers who want to know what precedent it sets for their own work.
Sharing private information public either intentional or unintentional that leak customer data and weaken the software security is illegal in any country as far as I know.
I would be really alarmed if this happened in America, as an American developer myself. I obviously wouldn’t think a mistake like this should be criminal.
Register "post" - The Register is not a Chinese publication. The nation/legal system involved can't be assumed from the source, and is a vital part of the story since it's about a legal matter.
> "the Shenzhen Municipal People's Procuratorate – the local version of the Crown Prosecution Service – successfully prosecuted the developer in early April, before the Shenzhen District Court."
Had The Register _not_ included "Chinese" it could have been accused of "click baiting" since the Register's predominantly non Chinese[1] readership might have thought this was about laws that applied to them and clicked through.
Had the source been a Chinese publication writing about a American developer jailed, I'd imagine they would use "American dev jailed..." for exactly the same reasons.
1. "The Register is a leading global online tech publication, with more than nine million monthly unique browsers worldwide. The core audiences are the UK and US, accounting for more than six million. The bulk of the remaining readership are located in Canada, Australia and northern Europe." - https://www.theregister.co.uk/Profile/about_the_register/
I understand HN guideline here. I am talking about the Guardian's post.
Leaking private information to the public even unintentionally , that compromise the security of software and may cause public harm is illegal no matter which country you go. So the nationality of the one who leaked it is irrelevant as far as I am concerned.
Generally it isn't illegal under any system based on common law. A necessary component a crime is mens rea, which is the intention or knowledge of the wrongful act. The act alone, even if it is illegal doesn't constitute a crime.
By this principle it's not a crime for a delvery man to be in posession of contraband that he has no knowledge of. This isn't to be confused with not knowing something is illegal. That's no defense. It's about knowing or not knowing the consequences of your action.
That said there are lesser offences, misdemenors or summary offences, where mens rea is not required. They usually have fines
but also can have limited jail time. For example, you can be punished for speeding and whether you knew you were doing it or not is irrelevent.
What's unclear in this case is whether the developer knew or ought to have known there were secrets in the code, or that his push was to a public place. It's also unclear, at least to me, whether Chinese law requires mens rea.
This is a news story about a specific event. This specific event happened in China, to a Chinese citizen. The whole story is full of specifics - dates, amounts of money, company names, individual names, repository names, direct quotes, etc. These details are the story, the story does not exist with out them. Robbed of those details the article would convey nothing that people want to know. These details also help us relate to the story.
Human elected leader of country.
Weather occurring in geographic region.
Team lost game. Team won game. There will be more games.
Although most keys removed are just useless automatically generated test keys, but genuine keys do exist. Someone should write a crawler to monitor these commits, creates digital signatures from private keys to prove the leak, and notify the CA issuer to revoke them automatically.
I know blackhats and grayhats must have been doing it for years. But I'm not aware there's any bot that acts in a whitehat manner to disclose it to affected parties and conduct public researches, is there? I mean, something like those RSA keys crawling projects by cryptographers that have discovered several types of non-random keys with zero security.
I admit I've been on the receiving side of some notices about low value API keys. https://www.gitguardian.com for example, uses this sort of thing as a public service / sales lead I guess.
From what I was told, around 2014 in China, there used to be a responsible-disclosure platform called WooYun that existed for a while (some of its articles has submitted to ~100 upvotes on HN). It was similar to HackerOne, and attracted a significant number of infosec researchers to hunt bugs and report it to the vendors.
Until 2016, when the government arrested its founders.
* WSJ: China’s ‘White-Hat’ Hackers Fear Dark Times After Community Founder Is Detained
Truly pathetic from DJI's side. And China, but that's to be expected at this point. They do not deserve to have white-hats find their vulns for them.
> "I am done. I will go to jail, and I have to take this stain ... in my life. My girlfriend begin to break up with me, woooo, my family are broken. Fuck!!! What are terrible things! Maybe the only thing I can do now is to die; it is so hard. I need to be free.”
This is horrifying. It honestly makes me feel sick for this poor developer. Companies and nations this cruel have no place in modern society.
There's no reason to be that dramatic. The US often has worse impacts on people's lives. If you're poor and uneducated in this country, one mistake can lead to a lifetime of debt and a cycle of prisons, hospitals, mental health facilities, homeless shelters, and so on. There is no significant social safety net for a large swath of the population (we're talking tens of millions of people) and people's lives are often left in shambles by a system that doesn't operate on empathy.
But also, this person is only facing six months and $30,000. That is no reason to consider suicide. Of course it sucks, but their life isn't over.
In which way? In the way that Aaron Swartz accidentally broke into a closed area and extracted copyrighted material and then apologized for being so clumsy?
My understanding is that the conviction was for deliberately (disregarding the accused's claim to the contrary) publicly sharing his employer's proprietary source code and private keys. Assuming this is actually true, then it's justified that there are legal consequences for sabotaging his employer like this, and most countries have laws penalising such behaviour.
Meanwhile, companies and governments are allowed to 'accidentally' expose all sorts of private information about millions of people without any meaningful punishment.
It seems that a lot of people commenting did not read the whole article. The developer committed four internal repos to DJI's public Github: 'spray-system', 'Management-platform', 'real_time_serve_v1' and 'real_time_serve'. These repos contained a wide variety of secret keys. So it does seem that this was intentional. Even playing devil's advocate because many large companies, Facebook, Google, etc, have systems to mirror part of their internal repos to GitHub, but I can imagine that adding a new path is checked and double checked by multiple people. Also this wasn't just a mistake of one repo, it was four.
I'm making no comment on if the punishment fit the crime, just that by reading the article it does seem that this was very much intentional.
There have been thousands of instances of people unintentionally uploading their private keys to github. It seems at least plausible that this developer just didn't know the implications of what he was doing.
Yea but you've breached NDA and likely committed some kind of intentional sabotage because this was done 4 times, so what happens to you is up to the courts and how you can argue it.
I feel sorry for this dev as I've seen people do a lot of cluelessly dumb shit over the years when it comes to security.
For example, I worked in a place which hires co-op students and every year there'd be at least one university-educated student who --after being told not to-- would put their nondescript FOB security key card in their wallet. In the event they lose their wallet, any stranger can google the name found on their drivers license to find out information about them, their friends, or their place of employment.
Then there are the countless startups where the boss has decided they don't need to worry about security so their communal password is "password" and they keep their user database in plain text. Nobody takes security seriously until it blows up. And that tends to be the common attitude from business management: worry about it when it's a problem.
This example isn't particularly good: I'm much more likely to lose a random keycard in my pocket than my wallet so, although having the keycard in my wallet might make it easier to figure out what door it opens, it also makes it much less likely that I'd lose my keycard in the first place.
On this example, I don't think it's a problem as well. First, the keycard has a PIN. After 3 failed attempts, it would either self-destruct the private key or lock itself down until a secret recovery code is provided. Second, private keys on keycards that are reported as lost can be revoked immediately.
China is setting an example here that intellectual property laws are to be taken seriously. It's not clear whether this particular case was intentional or not, but in general greater IP protection in China is definitely a good thing.
If you accidentally run someone over with a car, then there was definitely a failure of something, but it wasn't a moral failing. Punishment should never be used when correcting the underlying problem will have a more lasting positive impact.
In the car example, what do you think would be better - jailing the person who drove the car, or developing systems to prevent future such accidents?
Well yeah obviously. The question is whether an individual should go to jail because of negligence.
Obviously, there is a real "It depends". Hit and kill an individual with your car because you were distracted? That could mean jail. Accidentally pushed code to the wrong repo? Should that mean jail time?
That's pretty lame, especially considering DJI's abysmal security practices.
For the Phantom 2, I think the root password to ssh into the drone was something like "12341234". For the Phantom 3, they make it more secure by upgrading the password to "Big~9China".
Just curious, do you have any pictures from your drone at various heights? I don't have a gps/barometer on my drone yet and I'm curious how high say 300 ft looks like.
Don't know, sorry. It might be worth checking if that limit is enforced on the drone itself or the app. At least for the older drones, things like no fly zones around airports were only in the app. Messing with the firmware of the actual drone seemed nontrivial.
Why aren't we questioning the fact that there were secrets stored in Git? This is terrible security practice, and this fallout is exactly the kind of issues we should expect to happen as consequence.
65 comments
[ 3.5 ms ] story [ 130 ms ] threadThe only reason I can think of to not mention the nation that jailed someone for accidentally leaking their employers keys would be because the default assumption would be they are an American.
This wasn't a hack, there was no criminal intent. I think most people assume that the worst consequence for an accident like this is losing your job. The absurdity here is being fined, jailed, and receiving a criminal record.
The Register decided that adding the nationality was good for clicks. :(
> "Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize." - https://news.ycombinator.com/newsguidelines.html
Register "post" - The Register is not a Chinese publication. The nation/legal system involved can't be assumed from the source, and is a vital part of the story since it's about a legal matter.
> "the Shenzhen Municipal People's Procuratorate – the local version of the Crown Prosecution Service – successfully prosecuted the developer in early April, before the Shenzhen District Court."
Had The Register _not_ included "Chinese" it could have been accused of "click baiting" since the Register's predominantly non Chinese[1] readership might have thought this was about laws that applied to them and clicked through.
Had the source been a Chinese publication writing about a American developer jailed, I'd imagine they would use "American dev jailed..." for exactly the same reasons.
1. "The Register is a leading global online tech publication, with more than nine million monthly unique browsers worldwide. The core audiences are the UK and US, accounting for more than six million. The bulk of the remaining readership are located in Canada, Australia and northern Europe." - https://www.theregister.co.uk/Profile/about_the_register/
I understand HN guideline here. I am talking about the Guardian's post.
Leaking private information to the public even unintentionally , that compromise the security of software and may cause public harm is illegal no matter which country you go. So the nationality of the one who leaked it is irrelevant as far as I am concerned.
By this principle it's not a crime for a delvery man to be in posession of contraband that he has no knowledge of. This isn't to be confused with not knowing something is illegal. That's no defense. It's about knowing or not knowing the consequences of your action.
That said there are lesser offences, misdemenors or summary offences, where mens rea is not required. They usually have fines but also can have limited jail time. For example, you can be punished for speeding and whether you knew you were doing it or not is irrelevent.
What's unclear in this case is whether the developer knew or ought to have known there were secrets in the code, or that his push was to a public place. It's also unclear, at least to me, whether Chinese law requires mens rea.
Human elected leader of country.
Weather occurring in geographic region.
Team lost game. Team won game. There will be more games.
Human incarcerated after conviction of crime.
Click and see, it's fascinating.
* GitHub commit search: “remove private key”
https://news.ycombinator.com/item?id=14262124
Although most keys removed are just useless automatically generated test keys, but genuine keys do exist. Someone should write a crawler to monitor these commits, creates digital signatures from private keys to prove the leak, and notify the CA issuer to revoke them automatically.
Sued and jailed for submitting vulnerability. Open through google search. https://www.caixinglobal.com/2016-10-17/are-chinas-ethical-h...
Until 2016, when the government arrested its founders.
* WSJ: China’s ‘White-Hat’ Hackers Fear Dark Times After Community Founder Is Detained
https://blogs.wsj.com/chinarealtime/2016/08/01/chinas-white-...
* China Arrests 10 White Hats from WooYoun Ethical Hacking Community
https://news.softpedia.com/news/china-arrests-10-white-hats-...
> "I am done. I will go to jail, and I have to take this stain ... in my life. My girlfriend begin to break up with me, woooo, my family are broken. Fuck!!! What are terrible things! Maybe the only thing I can do now is to die; it is so hard. I need to be free.”
This is horrifying. It honestly makes me feel sick for this poor developer. Companies and nations this cruel have no place in modern society.
But also, this person is only facing six months and $30,000. That is no reason to consider suicide. Of course it sucks, but their life isn't over.
The similarity is the ott aspect.
Feel free to ask more questions.
That's exactly the direction modern society IS moving towards
I'm making no comment on if the punishment fit the crime, just that by reading the article it does seem that this was very much intentional.
Like it's easy to make the same mistake if you weren't alerted to it the first time.
If this guy was going for intentional sabotage, why not sell the keys on the dark web? Why not anonymously publish them on pastebin?
Why would he just upload them to github under his own name?
For example, I worked in a place which hires co-op students and every year there'd be at least one university-educated student who --after being told not to-- would put their nondescript FOB security key card in their wallet. In the event they lose their wallet, any stranger can google the name found on their drivers license to find out information about them, their friends, or their place of employment.
Then there are the countless startups where the boss has decided they don't need to worry about security so their communal password is "password" and they keep their user database in plain text. Nobody takes security seriously until it blows up. And that tends to be the common attitude from business management: worry about it when it's a problem.
On this example, I don't think it's a problem as well. First, the keycard has a PIN. After 3 failed attempts, it would either self-destruct the private key or lock itself down until a secret recovery code is provided. Second, private keys on keycards that are reported as lost can be revoked immediately.
But what specifically are they supposed to do with the security key card? What mode of securing and transportation do you envision?
If you accidentally run someone over with a car, then there was definitely a failure of something, but it wasn't a moral failing. Punishment should never be used when correcting the underlying problem will have a more lasting positive impact.
In the car example, what do you think would be better - jailing the person who drove the car, or developing systems to prevent future such accidents?
Obviously, there is a real "It depends". Hit and kill an individual with your car because you were distracted? That could mean jail. Accidentally pushed code to the wrong repo? Should that mean jail time?
For the Phantom 2, I think the root password to ssh into the drone was something like "12341234". For the Phantom 3, they make it more secure by upgrading the password to "Big~9China".
https://www.youtube.com/watch?v=1sC5cnm3zVQ